Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Current port usage

I currently have my LAN to WAN rule with ports and services set to Any. I'd like to limit that but I don't want to interrupt legitimate traffic out. Can you direct me to a guide or tell me how I figure which ports and services we're currently using?

Category: Entry Level Firewalls
Reply

Best Answers

Answers

  • Hi @SamB ,

    I agree with Mahmoud. You can start with the well known traffic like DNS(UDP 53), web traffic - HTTP(TCP 80) and HTTPS(TCP 443), Email traffic - SMTP(TCP 25), IMAP(TCP 143 and secure one uses 993), POP3(TCP 110 and secure one uses 995) and SMTPS(TCP 465 and 587). These are usually essential for all networks. Then you can start monitoring traffic and add the rest of the services.

    If some applications are absolutely essential, their websites usually lists a number of ports that are crucial for them to function.

    I hope that helps!

    Thanks,

    Shipra Sahu

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • SaravananSaravanan Moderator

    Hi @SamB,

    For the scenario of tracing the TCP / UDP ports used by local devices / computers in your network, packet monitor feature in the SonicWall can provide greater help. Please follow below instructions to set the packet monitor on the SonicWall.

    • Navigate to INVESTIGATE | Packet Monitor.
    • Click on "Monitor Default" to clear out any previous capture parameters.
    • Click on "Configure"
    • In Settings Tab, disable all the check boxes.
    • Navigate to the "Monitor Filter" tab and specify the only fields as shown below,
    1. Ether type:   IP
    2. IP type:    TCP, UDP
    3. Source IP:   Specify the IP address of the local network PC or Laptop from where we'll try to pass some traffic.
    4. Enable the checkbox “Enable Bidirectional address and port matching" and other check boxes should be left unchecked.
    • Navigate to "Display Filter" Tab, ensure all fields are empty and enable all check boxes.
    • Navigate to the "Advanced Monitor Filter" tab and enable all check boxes.
    • Click "OK" to save the parameters.
    • Click "Start Capture".
    • Click OK, and Start Capture.
    • Please click on Refresh option in the packet monitor page to see the traffic.
    • Once the necessary packets are captured, click on "Stop Capture".

    You get options to export the captured packets in formats such as pcapng, libpcap, html and text.

    Please post here for any further questions or clarifications.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • MicahMicah admin

    Hey @SamB! Hope you are well. Did any of the above responses help you with your query? Let us know!

    @micah - SonicWall's Self-Service Sr. Manager

  • SamBSamB Newbie ✭

    Hi,

    I followed Mahmoud's instructions but I'm still getting some traffic hitting the Any/Any policy. Is there a way on the packet monitor to filter it down by the priority 10 access rule so I can see what I'm missing? I've only found that I can see there's usage based on the traffic statistics in the Firewall - Access Rules page.

    Thanks!

  • Hello @SamB,

    Feel free to use this KB below

    You can then capture the packets that are using that specific access rule at priority 10.

    I hope that helps!!

    Thanks

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • SamBSamB Newbie ✭

    Hi,

    I don't see how that narrows it down to the rule at priority 10. Do I need to go through all 200 of my rules to make sure none of the other ones have that checked?

    Thanks!

  • Hello @SamB,

    This is a troubleshooting option. It is not enabled by default. You can enable it on the rule for which you would like to perform the packet capture.

    So, please enable that check box on the Any, Any, Any rule and you can monitor which traffic is going through that specific generic rule.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • MasterRoshiMasterRoshi Moderator

    @SamB Enable local appflow logging and monitor the connections. See below.



  • MasterRoshiMasterRoshi Moderator

    If you need more detailed drill down capabilities and long term retention -- talk to your account manager about CSC analytics or On-prem Analytics.

  • SamBSamB Newbie ✭

    I think I have this figured out. It took a couple of your comments. First I used the connection manager as MABDELJAWAD suggested. That was pretty easy to look through. Then I created the rule above the Any-Any rule with those ports and, as NEVYADITHA suggested, turned on packet monitor on the Any-Any to see what was getting through. It was a lot. So then I had to look through that every so often to see what else needed to be added. I'm still doing that now.

  • NevyadithaNevyaditha Moderator

    Thank you for the update @SamB !!

    Nevyaditha P

    Technical Support Advisor, Premier Services

Sign In or Register to comment.